PHP - Moved: Displaying Soc. Security Number
This topic has been moved to MySQL Help.
http://www.phpfreaks.com/forums/index.php?topic=354650.0

Similar Tutorials

Hi friends,
Another security issue, but this time it's regarding outputting data from a DB to a browser. Please have a look at the code below, which displays some output fetched from a DB and sends it to a browser.
1. If I just wish to display this output on a screen and not provide the user with any buttons or hyperlinks to interact with the information, would I still need to sanitize the output before echoing it to the screen?
2. If I was to make at least one of the fields a hyperlink, so that I could then display some related information on another webpage, what security concerns would I need to address in my code?
3. If I was to add a button against each of these records, on each row, and then select some related information on another webpage after processing the button handler, what would be the security concerns that I should address for the code below?
Thanks very much.
    <table>
    <tr>
    <th> S.No. </th> <th> Name </th> <th> Age </th> <th> City </th> <th> Cell </th> <th> Email</th>
    </tr>
    <?php
    $cnt = 1;
    while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC)) {
        echo "<tr>";
        echo "<td>".$cnt++."</td>";
        echo "<td>".$row['Name']. "</td>";
        echo "<td>".$row['Age']. "</td>";
        echo "<td>".$row['City']. "</td>";
        echo "<td>".$row['Cell']. "</td>";
        echo "<td>".$row['Email']. "</td>";
        echo "</tr>";
    }
    ?>
    </table>

Hi.. I encountered a problem in displaying the job order number, or JO_No, inside a while loop. What I want to happen is that only the JO_No will display after I click the Approved button, and it will only appear on the row where the Approved button was clicked. Now in my code the JO_No is displayed automatically in the JO_No column. Here is my code:

    <?php
    error_reporting(0);
    date_default_timezone_set("Asia/Singapore"); //set the time zone
    $con = mysql_connect('localhost', 'root','');
    if (!$con) {
        echo 'failed';
        die();
    }
    mysql_select_db("mes", $con);
    $Date_Shelve = date('Y-m-d H:i:s');
    ?>
    <html>
    <head>
    <title>Job Order</title>
    <link rel="stylesheet" type="text/css" href="kanban.css" />
    </head>
    <body>
    <div id="SR_date">
    <label>Date :</label>
    <input type="text" name="Date_Shelve" id="Date_Shelve" value="<?php echo $Date_Shelve; ?>" size="16" readonly="readonly" style="border: none;">
    </div>
    <div id="kanban_table">
    <table width="auto">
    <th> JO No.</th> <th> ETD </th> <th> PO No. </th> <th> SKU Code </th> <th> Description </th> <th> PO Req </th> <th> Requirements </th> <th> Priority</th>
    <?php
    $sql = "SELECT ETD, PO_No, SKUCode, Description, POReq FROM sales_order";
    $res_so = mysql_query($sql, $con);
    $Approved = isset($_POST['priority']);
    if ($Approved) {
        $PO_No = $_POST['PO_No'];
        //----I want to display only the jo_number after click the approved button and it only display on the row where I click the approved button---
        $sql = "SELECT jo_number FROM job_order ORDER BY jo_date DESC LIMIT 1";
        $result = mysql_query($sql, $con);
        if (!$result) {
            echo 'failed';
            die();
        }
        $total = mysql_num_rows($result);
        if ($total <= 0) {
            $currentSRNum = 1;
            $currentYear = (int)(date('y'));
            $currentMonth = (int)(date('m'));
            $currentDay = (int)(date('d'));
            $currentSRYMD = substr($row['jo_number'], 0, 6);
            $currentYMD = date("ymd");
            if ($currentYMD > $currentSRYMD) {
                $currentSRNum = 1;
            } else {
                $currentSRNum += 1;
            }
        } else {
            //----------------------------------------
            $row = mysql_fetch_assoc($result);
            $currentSRNum = (int)(substr($row['jo_number'],0,3));
            $currentSRYear = (int)(substr($row['jo_number'],2,2));
            $currentSRMonth = (int)(substr($row['jo_number'],0,2));
            $currentSRNum = (int)(substr($row['jo_number'],6,4));
            $currentYear = (int)(date('y'));
            $currentMonth = (int)(date('m'));
            $currentDay = (int)(date('d'));
            $currentSRYMD = substr($row['jo_number'], 0, 6);
            $currentYMD = date("ymd");
            if ($currentYMD > $currentSRYMD) {
                $currentSRNum = 1;
            } else {
                $currentSRNum += 1;
            }
        }
        $yearMonth = date('ymd');
        $currentSR = $currentYMD . sprintf("%04d", $currentSRNum); //JO_No
    }
    while($row = mysql_fetch_assoc($res_so)){
        echo "<form name='joborder_form' action='' method='post'>";
        $PO_No = $row['PO_No'];
        echo "<tr>
            <td><input type='text' name='JO_No' id='JO_No' value='$currentSR' style='border:none;width:auto;' size='10'></td>
            <td><input type='text' name='ETD' id='ETD' value='$row[ETD]' style='border:none;width:auto;' size='10'></td>
            <td><input type='text' name='PO_No' id='PO_No' value='$row[PO_No]' style='border:none;' size='30'></td>
            <td><input type='text' name='SKUCode' id='SKUCode' value='$row[SKUCode]' style='border:none;' size='15'></td>
            <td><input type='text' name='Description' id='Description' value='$row[Description]' style='border:none;' size='35'></td>
            <td><input type='text' name='POReq' id='POReq' value='$row[POReq]' style='border:none;width:auto;' size='10'></td>
            <td> </td>
            <td><input type='submit' name='priority' value='Approved' id='priority'></td>
        </tr>";
        echo "</form>";
    }
    ?>
    </table>
    </div>
    </body>
    </html>

I attach a sample image of my form. Any help is highly appreciated. Thank you.

I'm getting the dreaded "Invalid parameter number: number of bound variables does not match number of tokens" error and I've looked at this for days. Here is what my table looks like:
    | Field       | Type         | Null | Key | Default | Extra          |
    | id          | int(4)       | NO   | PRI | NULL    | auto_increment |
    | user_id     | int(4)       | NO   |     | NULL    |                |
    | recipient   | varchar(30)  | NO   |     | NULL    |                |
    | subject     | varchar(25)  | YES  |     | NULL    |                |
    | cc_email    | varchar(30)  | YES  |     | NULL    |                |
    | reply       | varchar(20)  | YES  |     | NULL    |                |
    | location    | varchar(50)  | YES  |     | NULL    |                |
    | stationery  | varchar(40)  | YES  |     | NULL    |                |
    | ink_color   | varchar(12)  | YES  |     | NULL    |                |
    | fontchosen  | varchar(30)  | YES  |     | NULL    |                |
    | message     | varchar(500) | NO   |     | NULL    |                |
    | attachment  | varchar(40)  | YES  |     | NULL    |                |
    | messageDate | datetime     | YES  |     | NULL    |

Here are my params:

    $params = array(
        ':user_id'     => $userid,
        ':recipient'   => $this->message_vars['recipient'],
        ':subject'     => $this->message_vars['subject'],
        ':cc_email'    => $this->message_vars['cc_email'],
        ':reply'       => $this->message_vars['reply'],
        ':location'    => $this->message_vars['location'],
        ':stationery'  => $this->message_vars['stationery'],
        ':ink_color'   => $this->message_vars['ink_color'],
        ':fontchosen'  => $this->message_vars['fontchosen'],
        ':message'     => $messageInput,
        ':attachment'  => $this->message_vars['attachment'],
        ':messageDate' => $date
    );

Here is my sql:

    $sql = "INSERT INTO messages (user_id,recipient, subject, cc_email, reply, location,stationery, ink_color, fontchosen, message,attachment) VALUES( $userid, :recipient, :subject, :cc_email, :reply, :location, :stationery, :ink_color, :fontchosen, $messageInput, :attachment, $date);";

And lastly, here is how I am calling it:

    $dbh = parent::$dbh;
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING);
    if (empty($dbh)) return false;
    $stmt = $dbh->prepare($sql);
    $stmt->execute($params) or die(print_r($stmt->errorInfo(), true));
    if (!$stmt) {
        print_r($dbh->errorInfo());
    }

I know my userid is valid and the date is set above (I've echo'd these out to make sure). Since the id is auto_increment, I do not put that in my sql (though I've tried that too), nor in my params (tried that too). What am I missing?
I feel certain it is something small, but I have spent days checking commas, semi-colons and spelling. Can anyone see what I'm doing wrong?
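For the first post above (echoing DB rows to the browser), here is an added example that is not the poster's code: the same table, with each value escaped for the context it is written into, a hyperlink whose parameter is URL-encoded, and a per-row button whose handler verifies a session token before binding the id in a prepared statement. The column names come from the post; the in-memory SQLite table, its rows, and the pages details.php and select.php are constructed assumptions.

```php
<?php
// Added example, not the original poster's code: the same table, but every value
// is escaped for the context it is written into. Constructed rows live in an
// in-memory SQLite table so the script runs stand-alone; details.php and
// select.php are hypothetical pages.
declare(strict_types=1);
session_start();
if (empty($_SESSION['csrf'])) {                       // one anti-CSRF token per session
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, Name TEXT, Age INT, City TEXT, Cell TEXT, Email TEXT)');
$pdo->exec("INSERT INTO people VALUES (1, '<b>Bob</b>', 41, 'Oslo', '555-0100', 'bob@example.com'),"
         . " (2, 'Eve \"x\" O''Neil', 29, 'Lima', '555-0101', 'eve@example.com')");   // constructed rows
/** Question 1: escape for an HTML text node or quoted attribute. */
function h(?string $s): string {
    return htmlspecialchars((string)$s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
/** Question 2: URL-encode the parameter, then HTML-escape the whole URL it sits in. */
function detailsLink(int $id, string $label): string {
    return '<a href="' . h('details.php?id=' . rawurlencode((string)$id)) . '">' . h($label) . '</a>';
}
/** Question 3: the per-row form carries only the record id and the session token. */
function selectButton(int $id): string {
    return '<form method="post" action="select.php">'
         . '<input type="hidden" name="id" value="' . h((string)$id) . '">'
         . '<input type="hidden" name="csrf" value="' . h($_SESSION['csrf']) . '">'
         . '<button type="submit">Select</button></form>';
}
/** What select.php must do before trusting the posted id: token check, then a bound query. */
function handleSelect(PDO $pdo, array $post): ?array {
    if (!hash_equals($_SESSION['csrf'], (string)($post['csrf'] ?? ''))) {
        return null;                                  // forged or stale submission
    }
    $id = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;                                  // never interpolate $post['id'] into SQL
    }
    $stmt = $pdo->prepare('SELECT * FROM people WHERE id = :id');   // bind, do not concatenate
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;    // an authorisation check belongs here too
}
echo "<table><tr><th>S.No.</th><th>Name</th><th>Age</th><th>City</th><th>Cell</th><th>Email</th><th></th></tr>\n";
$cnt = 1;
foreach ($pdo->query('SELECT id, Name, Age, City, Cell, Email FROM people') as $row) {
    echo '<tr><td>' . $cnt++ . '</td><td>' . detailsLink((int)$row['id'], (string)$row['Name']) . '</td>';
    foreach (['Age', 'City', 'Cell', 'Email'] as $col) {
        echo '<td>' . h((string)$row[$col]) . '</td>';
    }
    echo '<td>' . selectButton((int)$row['id']) . "</td></tr>\n";
}
echo "</table>\n";
```

The escaping answers question 1 even with no links or buttons, since a stored value such as the `<b>Bob</b>` row above is otherwise rendered as markup; the hyperlink and button only add the encoding and token steps on top of it.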
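For the PDO post above, an added example that is not the poster's code: the error arises because `$userid`, `$messageInput` and `$date` are pasted into the SQL text while `$params` still carries `:user_id`, `:message` and `:messageDate`, so the driver sees 9 named tokens but 12 bound values (and `messageDate` is absent from the column list). The helper below compares the placeholders in a statement with the keys of the parameter array before `execute()`, then runs the corrected statement, which binds every value, against an in-memory SQLite table with constructed values.

```php
<?php
// Added example, not the poster's code. A helper that compares the named
// placeholders in a statement with the keys of the parameter array before
// execute(), followed by the corrected INSERT run against an in-memory SQLite
// table with constructed values.
declare(strict_types=1);

/** Named placeholders (:name) that appear in $sql, in order, without duplicates. */
function namedPlaceholders(string $sql): array {
    $stripped = preg_replace("/'[^']*'/", "''", $sql);                 // ignore ':' inside string literals
    preg_match_all('/(?<![:\w]):([A-Za-z_]\w*)/', $stripped, $m);    // skips '::' casts and times like 10:00
    return array_values(array_unique($m[1]));
}

/** Both lists empty means $params lines up with $sql; anything listed explains the PDO error. */
function placeholderMismatch(string $sql, array $params): array {
    $inSql = namedPlaceholders($sql);
    $inParams = array_map(fn($k) => ltrim((string)$k, ':'), array_keys($params));
    return [
        'missing_in_params' => array_values(array_diff($inSql, $inParams)),
        'unused_params'     => array_values(array_diff($inParams, $inSql)),
    ];
}

// Constructed values standing in for the poster's variables.
$userid = 7; $messageInput = 'hello'; $date = '2012-03-01 10:00:00';
$params = [':user_id' => $userid, ':recipient' => 'alice', ':message' => $messageInput, ':messageDate' => $date];

// Shape of the original statement: three values are pasted into the SQL text instead of bound.
$badSql = "INSERT INTO messages (user_id, recipient, message, messageDate)
           VALUES ($userid, :recipient, $messageInput, $date)";
print_r(placeholderMismatch($badSql, $params));

// Corrected: every value is a placeholder and each key in $params has exactly one token.
$goodSql = 'INSERT INTO messages (user_id, recipient, message, messageDate)
            VALUES (:user_id, :recipient, :message, :messageDate)';
print_r(placeholderMismatch($goodSql, $params));

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INT, recipient TEXT, message TEXT, messageDate TEXT)');
$stmt = $pdo->prepare($goodSql);
$stmt->execute($params);          // every value travels as a bound parameter, so $messageInput cannot alter the query
echo $pdo->query('SELECT COUNT(*) FROM messages')->fetchColumn(), " row(s) inserted\n";
```

Binding all values also removes the SQL injection that the interpolated `$messageInput` introduced; the column list in the corrected statement is shortened only to keep the example small.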